Krebs on Security

In-depth security news and investigation

A 19-year-old Canadian man was found guilty of making almost three dozen fraudulent calls to emergency services across North America in 2013 and 2014. The false alarms, two of which targeted this author — involved phoning in phony bomb threats and multiple attempts at “swatting” — a dangerous hoax in which the perpetrator spoofs a call about a hostage situation or other violent crime in progress in the hopes of tricking police into responding at a particular address with deadly force.

Curtis Gervais of Ottawa was 16 when he began his swatting spree, which prompted police departments across the United States and Canada to respond to fake bomb threats and active shooter reports at a number of schools and residences.

Gervais, who taunted swatting targets using the Twitter accounts “ProbablyOnion” and “ProbablyOnion2,” got such a high off of his escapades that he hung out a for-hire shingle on Twitter, offering to swat anyone with the following tweet:

Several Twitter users apparentlytookhimuponthatoffer. On March 9, 2014, @ProbablyOnion started sending me rude and annoying messages on Twitter. A month later (and several weeks after blocking him on Twitter), I received a phone call from the local police department. It was early in the morning on Apr. 10, and the cops wanted to know if everything was okay at our address.

Minutes after my local police department received that fake notification, @ProbablyOnion was bragging on Twitter about swatting me, including me on his public messages: “You have 5 hostages? And you will kill 1 hostage every 6 times and the police have 25 minutes to get you $100k in clear plastic.” Another message read: “Good morning! Just dispatched a swat team to your house, they didn’t even call you this time, hahaha.”

I told this user privately that targeting an investigative reporter maybe wasn’t the brightest idea, and that he was likely to wind up in jail soon. On May 7, @ProbablyOnion tried to get the swat team to visit my home again, and once again without success. “How’s your door?” he tweeted. I replied: “Door’s fine, Curtis. But I’m guessing yours won’t be soon. Nice opsec!”

I was referring to a document that had just been leaked on Pastebin, which identified @ProbablyOnion as a 19-year-old Curtis Gervais from Ontario. @ProbablyOnion laughed it off but didn’t deny the accuracy of the information, except to tweet that the document got his age wrong.

A day later, @ProbablyOnion would post his final tweet before being arrested: “Still awaiting for the horsies to bash down my door,” a taunting reference to the Royal Canadian Mounted Police (RCMP).

A Sept. 14, 2017 article in the Ottawa Citizen doesn’t name Gervais because it is against the law in Canada to name individuals charged with or convicted of crimes committed while they are a minor. But the story quite clearly refers to Gervais, who reportedly is now married and expecting a child.

The Citizen says the teenager was arrested by Ottawa police after the U.S. FBI traced his Internet address to his parents’ home. The story notes that “the hacker” and his family have maintained his innocence throughout the trial, and that they plan to appeal the verdict. Gervais’ attorneys reportedly claimed the youth was framed by the hacker collective Anonymous, but the judge in the case was unconvinced.

Apparently, Ontario Court Justice Mitch Hoffman handed down a lenient sentence in part because of more than 900 hours of volunteer service the accused had performed in recent years. From the story:

Hoffman said that troublesome 16-year-old was hard to reconcile with the 19-year-old, recently married and soon-to-be father who stood in court before him, accompanied in court Thursday by his wife, father and mother.

“He has a bright future ahead of him if he uses his high level of computer skills and high intellect in a pro-social way,” Hoffman said. “If he does not, he has a penitentiary cell waiting for him if he uses his skills to criminal ends.”

According to the article, the teen will serve six months of his nine-month sentence at a youth group home and three months at home “under strict restrictions, including the forfeiture of a home computer used to carry out the cyber pranks.” He also is barred from using Twitter or Skype during his 18-month probation period.

Most people involved in swatting and making bomb threats are young males under the age of 18 — the age when kids seem to have little appreciation for or care about the seriousness of their actions. According to the FBI, each swatting incident costs emergency responders approximately $10,000. Each hoax also unnecessarily endangers the lives of the responders and the public.

In February 2017, another 19-year-old — a man from Long Beach, Calif. named Eric “Cosmo the God” Taylor — was sentenced to three year’s probation for his role in swatting my home in Northern Virginia in 2013. Taylor was among several men involved in making a false report to my local police department at the time about a supposed hostage situation at our house. In response, a heavily-armed police force surrounded my home and put me in handcuffs at gunpoint before the police realized it was all a dangerous hoax.

This entry was posted on Monday, September 25th, 2017 at 11:49 am and is filed under Other.
You can follow any comments to this entry through the RSS 2.0 feed.
Both comments and pings are currently closed.

Yes, and most of them have been committed by one person: Julius Kivimaki. It doesn’t seem to matter how many cybercrimes you commit in Finland or how atrocious they are (and his were quite heinous and voluminous) they treat cybercriminals with kid gloves.

That’s the difference between a civilized nation (Finland) and one thats justice system fucks people lives for cybercrimes (USA). It’s pretty obvious that people that are under 20 or were minors shouldn’t be getting jail time for cybercrimes. That’s counterproductive in almost every way, these kids will become hostile towards the system and only cause more harm in future. Give them a small fine and maybe probation for the worst offenders, that should be enough to scare the majority of. People like Kivimäki are an expection and for sure he will be getting harsher punishments if he continues behaving like this. I’m pretty sure he has already done some time in jail.

In Finland, as in most of nordic countries and other well-being countries of europe, the aim is to rehabilitate convicts so the sentences or general jail time aren’t so damn high. “Lifetime” sentence in Finland means on average 14 years of prison and thats only for the most cruesome killers, you can basically get away with a murder and only sit slightly under 10 years.

I don’t know how long are what kind of punishments you want for cybercriminals but I think they are pretty reasonable and the answer definitely isn’t years of prison.

Sorry, but Kivimaki belongs in a cage, or in a mental ward (or cage in a mental ward). I grow pretty tired of this attitude that hackers shouldn’t do real jail time just because they’re young, and that we should find better ways to use their talents. Screw that. If you can’t do the time, don’t do the crime. Some of these guys are doing some really bad stuff that puts peoples’ lives at risk and causes lasting damage to others.

“According to the article, the teen will serve six months of his nine-month sentence at a youth group home and three months at home “under strict restrictions, including the forfeiture of a home computer used to carry out the cyber pranks.”

He’s married? Expecting a child, and going to live in a home for brats?

Agree on this one. Immature and devious ‘pranksters’ should not fathering children. If his wife is reading this… get out while you can and take your child with you. I would not have been as lenient as the judge. These were planned and deliberate criminal acts. The guy is likely to get worse before better.

The judge should have thrown the book at him. Swatting is no joke and these lil skiddies need to be taught a lesson. They act with inflated egos and near impunity because they know they are under-age and will get light sentences if caught. That needs to change.

You are 100% correct. And this is why it will continue because judges think it’s cute and “smart”, and so they move onto other things like the millions of scams being done yearly. Those many scams, almost nothing is done about them.

But Brian, I was thinking it might be useful for you to post a page that documents all of the crime and resulting punishment that you are aware of. If more hacker wannabes were made aware that a good percentage of these people around the world get caught it could discourage some from starting.

The real shame is that many talented computer people could make a good, secure living using their abilities in a lawful (or mostly lawful) manner.

Early in my computer security career (mid-1980’s) I jokingly suggested that the best way to stop the bulk of phone phreaks, hackers, etc., was to get all males 16-25 years old girlfriends or wives. They’d then be too busy to do this kind of stuff.

The problem really is that police are clumsy enough to be susceptible to this type of attack. It’s like when a company gets hacked, the blame is on the company, because it’s difficult if not impossible to track the attackers down, and if it’s possible, someone will eventually do it. The fact that a SWAT team can be fooled by a kid is pretty bad security. The blame should be on the lack of SS7 security (phone spoofing) and lack of training and protocol by the SWAT teams.

The irony of course, is that now his dox is out there, he may get swatted himself lol.

the teenager is my daughter him on line when he was not meant to be using a computer and she flew to Canada without my knowledge to me this evening that my daughter who will have nothing to do with me for some reason is now pregnant, I am in utter shock. She flew from the UK so he was using a computer when he was not meant to that is how they met

Doxbin was a site, although not the founder, the operator for most of its existence was nachash, except for a brief period where he tried to hand things off to a protege whose name I can’t recall. That service, along with a companion revenge porn operation called Pinkmeth, both came down thanks to Operation Onymous back in 2014.

The internet is full of egotistical blackhats, but nachash was the real deal – a sort of digital Jason Bourne. He’s the second scariest person I’ve ever encountered online, and his dox work was always deadly accurate.

Outside of the nuisance and possible physical harm due to misunderstandings at the site, diverting emergency resources unnecessarily endangers the rest of the community should a real emergency happen. Like calling in a false fire alarm, this puts the whole community at risk, not just the swatting victim.

Perhaps the judge didn’t consider this at the trial. If another family was taken hostage when the cavalry was at the opposite end of town chasing phantoms his verdict may have been different.

Many USA jurisdictions have a crime known as “felony murder”. If somebody loses their life, for any reason whatsoever, during the commission of a felony it’s considered murder, and the person doing the felony is the murderer.

It would be good to update the laws to clarify that felony murder applies to SWATting.

You’ve been involved in investigative reporting on computer security for over 15 years. In the world of computer security I assume everyone has heard of you. You have taken down multiple hackers. My question is, do the hackers that try to hack you, know who you are and your CV? Or is it that teen hackers just think they are smarter than everyone?

No idea. Hubris, youth and naivete obviously play a role, but beyond that I can’t really get inside their heads. I think at some point it became fashionable in certain circles to invoke my name or likeness for selling cyber crimey goods and services, and for a long time it’s been vogue to taunt and threaten me for cool points. Seems likely that some of these guys just take it to extremes at their own peril.

If you can keep it up. That seems to be the problem. It’s relatively easy to keep your opsec in good shape most of the time. But all it takes is one careless slip-up. The kind of patient diligent caution required is definitely *not* the strong suit of kids like this.

Even the right-leaning US Supreme Court ruled in favor of not sentencing adolescent offenders as adults–to some degree. The feeling of power that certain kinds of teens experience at keyboards connected to powerful computers can’t be overstated. Many aren’t qualified or inclined to get into analogous trouble in the tangible world. For myself, I’d like to know the recidivism rate for young hackers with a similar background who committed similar crimes–to see if the penalties are appropriate. Here’s a further suggestion: the sentences of teens who commit felonies should include ‘poison pill’ provisions that send them to additional time in adult prisons for their teenage felonies if they commit felonies as young adults, especially for the same crimes they committed when young. Just sayin.

I am not a public figure, but if I was and could afford it, I would get a second address to use as an address for my driver’s license and other credentials and documents. This would put a buffer between my actual residence and buffer address, where all my mail would come. An inexpensive mobile home and travel trailer lot could work for this. Unfortunately, many states will not let you use a P.O. Box for an address for state documents.

The number of (and it’s a word I don’t use lightly, as I normally hate it in how it’s overused) Legendary takedowns by Brian here, in a relatively short time, is seriously impressive, and makes it all look rather effortless – it’s good fun cackling at the misfortunes of those who’ve attempted to wrong the author and/or others.

Young smart people especially those who have enough time to engage in this can be social outcasts from normal society even though they have a digital social life. Sentencing needs to include hundreds of hours of community service teaching law enforcement cyber divisions everything they know, and hopefully in doing so, leading them away from the dark side of the force and into a career leveraging their talents for good. We are going to need them, because the bad guys are not going away anytime soon.

I am in utter shock today to learn the my 18 year old daughter got married and the parents encouraged it and now she is pregnant after flying out from the Uk and meeting this person on line when clearly he should not have been using a computer so sad she is ruining her life